Decrypt This: Why is router security so full of holes?

With every fresh wave of new routers and networking equipment that hits the shelves comes the promise of a new age of functionality, usability, and security. Whether it’s the newest Nighthawk from Netgear or just another in a long line from Linksys, I’m always surprised at the bells and whistles companies can come up with.

But, despite continued innovation in the market, it’s becoming apparent that a change in how we protect home networks should be at the top of everyone’s to-do list. Router makers need to step up their game if the wireless hardware of today is to protect us from whatever threats might show up tomorrow.

According to a report released earlier this year, upwards of 75% of all routers provided by ISPs contain software or firmware that can be easily exploited by hackers. Even amateurs are discovering how easy it can be to plow straight past a router’s internal defenses without issue.

Papers, please

Why do router flaws matter? To start, let’s get to know the basics of what makes a modern router tick. For almost all of their history, routers made for the consumer market have relied on three key safeguards: certificates, signatures, and firmware.

Every piece in the puzzle is an essential building block of what makes your router secure, and no one part can function on its own without the support of the others. When working in tandem, they each help to protect a different part of your connected experience, whether it’s checking email, downloading and installing software, or visiting websites you might not recognize before clicking through.

And even with all their apparent vulnerabilities and shortcomings, these systems are (and probably always will be) a necessary pillar in the ecosystem of Internet security. It’s only recently that analysts and industry experts have started to realize that the foundation which makes their use possible is showing signs of weakness, and is close to failing entirely if the stream of modern malware offensives continues to pile on.

It’s all about the Benjamins

The idea that most standard home Internet routers are incapable of protecting users from a truly determined hacker shouldn’t be a secret to anyone by this point. While most broadly cast campaigns, like those designed to distribute spam or common malware programs, are usually swatted away by a router’s internal firewall, if someone targets you specifically for an attack and wants to slip their way past the perimeter, a $39 D-Link from Walmart isn’t going to stand in their way.

But why?

Why, even after 30 years in business and thousands of revisions to their hardware, are the biggest manufacturers in home networking equipment still struggling to create a device that can effectively protect home Internet users?

To put it in (very) simple terms: it all comes down to cost.

Since close to the inception of the web itself, the data security industry has struggled to retain talented engineers and programmers who know the mathematics of what it takes to break any given encryption protocol in two.

Even though a top data scientist working to build firewalls for Netgear might be able to pull $80,000 a year before taxes, another top data scientist halfway across the world could make twice that salary in less than a day by figuring out how to tunnel under a router’s protective fence unnoticed.

These are people who, despite pursuing a passion for the same subjects in school, each decided to take a slightly different path with the skills they’d picked up along the way. One works to help strengthen the Internet for a living, creating new protection methods to better preserve privacy online, while the other maneuvers around these safeguards, ducking and weaving between the whitehat’s defenses in hot pursuit of profits.

Rooting out holes in router security products is big business for the global criminal networks that make it their main source of income. They buy and sell what’s known as “zero-days”, or previously undiscovered cracks in the code of software, hardware, and operating systems. Each newly unearthed exploit can yield the hacker responsible anywhere from a few hundred dollars to tens of thousands at a time, a value that’s calculated on how widespread the effect of the crack will be against how long it’s predicted to stay functional before being patched out.

Even corporations have budgets

The economics of the zero-day market are tricky, however, and the answer isn’t always simply to throw more money at the good guys and hope they stick to the righteous path after the check is already cashed. In her report “The Vulns of Wall Street,” published on Tuesday, HackerOne CPO Katie Moussouris explains why the problem runs deeper than just the dollar amount being passed around between hackers on the underground circuit.

“Defenders throwing more bodies or money towards trying to find more vulnerabilities than the offense side can help, but not as efficiently as other measures,” Moussouris says in the report. “Sell a couple bugs per year, and talented developers who can write fuzzers and determine which bugs are exploitable won’t need to work much harder to earn much higher paydays than any software maker could sustainably afford to pay them.”

The (incorrect) assumption many people make here is that because companies like Cisco and Linksys are massive corporations with swollen R&D budgets, they should be able to afford to win the bidding war. Unfortunately, there’s still not a company on earth able to match the salary that a blackhat hacker could make by stealing 70 million credit cards from Target at a time.

Yes, Target had a hired staff of security engineers who were paid well enough to watch out for exactly this type of nightmare scenario. But as long as we continue to swipe, type, and tap our precious financial data into these types of systems, the opportunity for lucrative zero-day payouts will simply be too much for members of the blackhat community to resist.

That’s the problem. What’s the solution?

This brings us back to the original point: the hacking, cracking, and attacking of our routers (and by extension, our financial data) isn’t going to stop as long as there’s money to be made.

We’re just now starting to realize that the defensive strategies of yesteryear are holding back the progress we could achieve tomorrow, and that a fundamental shift in mentality and industry practice may be necessary if we expect to keep our personal data out of criminal hands.

Next week, we’re going to dive into greater detail about the infections, viruses, and firmware exploits that continue to plague the threat landscape today. Now that we know the “why” of how hackers break through routers, it’s time to dig into the “how.”